Source: Intel Security Center
ID: INTEL:INTEL-SA-00674
Date: Mar 10, 2023 - 12:00 a.m.

Intel® oneAPI Toolkits Advisory


EPSS: 0.002 (Low), percentile 54.9%

Summary:

Potential security vulnerabilities in some Intel® oneAPI Toolkits may allow escalation of privilege. Intel is releasing software updates to mitigate these potential vulnerabilities.

Vulnerability Details:

CVEID: CVE-2022-25987

Description: Improper handling of Unicode encoding in source code to be compiled by the Intel® C++ Compiler Classic before version 2021.6 for Intel® oneAPI Toolkits before version 2022.2 may allow an unauthenticated user to potentially enable escalation of privilege via network access.

CVSS Base Score: 8.3 High

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CVEID: CVE-2022-26843

Description: Insufficient visual distinction of homoglyphs presented to user in the Intel® oneAPI DPC++/C++ Compiler before version 2022.1 for Intel® oneAPI Toolkits before version 2022.2 may allow an unauthenticated user to potentially enable escalation of privilege via network access.

CVSS Base Score: 8.3 High

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CVEID: CVE-2022-25992

Description: Insecure inherited permissions in the Intel® oneAPI Toolkits oneapi-cli before version 0.2.0 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H


CVEID: CVE-2022-26512

Description: Uncontrolled search path element in the Intel® FPGA Add-on for Intel® oneAPI Base Toolkit before version 2022.2 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H


CVEID: CVE-2022-26345

Description: Uncontrolled search path element in the Intel® oneAPI Toolkit OpenMP before version 2022.1 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H


CVEID: CVE-2022-26062

Description: Uncontrolled search path element in the Intel® Trace Analyzer and Collector before version 2021.6 for Intel® oneAPI HPC Toolkit may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H


CVEID: CVE-2022-25905

Description: Uncontrolled search path element in the Intel® oneAPI Data Analytics Library (oneDAL) before version 2021.5 for Intel® oneAPI Base Toolkit may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H


CVEID: CVE-2022-26425

Description: Uncontrolled search path element in the Intel® oneAPI Collective Communications Library (oneCCL) before version 2021.6 for Intel® oneAPI Base Toolkit may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H


CVEID: CVE-2022-26076

Description: Uncontrolled search path element in the Intel® oneAPI Deep Neural Network (oneDNN) before version 2022.1 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H


CVEID: CVE-2022-26032

Description: Uncontrolled search path element in the Intel® Distribution for Python programming language before version 2022.1 for Intel® oneAPI Toolkits may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H


CVEID: CVE-2022-26421

Description: Uncontrolled search path element in the Intel® oneAPI DPC++/C++ Compiler Runtime before version 2022.0 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2022-26052

Description: Uncontrolled search path element in the Intel® MPI Library before version 2021.6 for Intel® oneAPI HPC Toolkit may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Affected Products:

Intel® oneAPI Toolkits before version 2022.2.

Intel® oneAPI DPC++/C++ Compiler before version 2022.1.

Intel® C++ Compiler Classic before version 2021.6

oneapi-cli before version 0.2.0 for Intel® oneAPI Toolkits.

Intel® FPGA Add-on for Intel® oneAPI Base Toolkit before version 2022.2

Intel® Trace Analyzer and Collector before version 2021.6.

Intel® oneAPI Data Analytics Library before version 2021.5.

Intel® oneAPI Collective Communications Library (oneCCL) before version 2021.6.

Intel® Distribution for Python programming language before version 2022.1

Intel® oneAPI Deep Neural Network (oneDNN) before version 2022.1

Intel® oneAPI DPC++/C++ Compiler Runtime before version 2022.0.

Intel® MPI Library before version 2021.6 for Intel® oneAPI HPC Toolkit.

Recommendation:

Intel recommends updating Intel® oneAPI Toolkit to version 2022.2 or later.

Toolkit updates are available for download at this location:
<https://www.intel.com/content/www/us/en/developer/tools/oneapi/toolkits.html>

Intel recommends updating Intel® oneAPI DPC++/C++ Compiler to version 2022.1 or later.

Toolkit updates are available for download at these locations:
<https://www.intel.com/content/www/us/en/developer/tools/oneapi/base-toolkit-download.html>

<https://www.intel.com/content/www/us/en/developer/tools/oneapi/hpc-toolkit-download.html>

<https://www.intel.com/content/www/us/en/developer/tools/oneapi/iot-toolkit-download.html>

Standalone updates are available for download at this location:

<https://www.intel.com/content/www/us/en/developer/articles/tool/oneapi-standalone-components.html#dpcpp-cpp>

Intel recommends updating Intel® C++ Compiler (Classic) to version 2021.6 or later.

Toolkit updates are available for download at these locations:

<https://www.intel.com/content/www/us/en/developer/tools/oneapi/hpc-toolkit-download.html>

<https://www.intel.com/content/www/us/en/developer/tools/oneapi/iot-toolkit-download.html>

Standalone updates are available for download at this location:

<https://www.intel.com/content/www/us/en/developer/articles/tool/oneapi-standalone-components.html#dpcpp-cpp>

Intel recommends updating oneapi-cli to version 0.2.0 or later for Intel® oneAPI Toolkits.

Toolkit updates are available for download at this location:

<https://www.intel.com/content/www/us/en/developer/tools/oneapi/toolkits.html>

Standalone updates are available for download at this location:

<https://github.com/intel/oneapi-cli/releases>

Intel recommends updating Intel® FPGA Add-on for Intel® oneAPI Base Toolkit to version 2022.2 or later.

Toolkit updates are available for download at this location:
<https://www.intel.com/content/www/us/en/developer/tools/oneapi/base-toolkit-download.html>

Standalone updates are available for download at this location:

<https://www.intel.com/content/www/us/en/developer/articles/tool/oneapi-standalone-components.html#fpga>

Intel recommends updating Intel® Trace Analyzer and Collector to version 2021.6 or later.

Toolkit updates are available for download at this location:

<https://www.intel.com/content/www/us/en/developer/tools/oneapi/hpc-toolkit-download.html>

Intel recommends updating Intel® oneAPI Data Analytics Library to version 2021.5 or later.

Toolkit updates are available for download at this location:

<https://www.intel.com/content/www/us/en/developer/tools/oneapi/base-toolkit-download.html>

Intel recommends updating Intel® oneAPI Collective Communications Library to version 2021.6 or later.

Toolkit updates are available for download at this location:
<https://www.intel.com/content/www/us/en/developer/tools/oneapi/base-toolkit-download.html>

Standalone updates are available for download at these locations:

<https://github.com/oneapi-src/oneCCL>

<https://www.intel.com/content/www/us/en/developer/articles/tool/oneapi-standalone-components.html#oneccl>

Intel recommends updating Intel® Distribution for Python programming language to version 2022.1 or later.

Toolkit updates are available for download at these locations:
<https://www.intel.com/content/www/us/en/developer/tools/oneapi/base-toolkit-download.html>

<https://www.intel.com/content/www/us/en/developer/tools/oneapi/ai-analytics-toolkit-download.html?operatingsystem=linux>

Standalone updates are available for download at this location:

<https://www.intel.com/content/www/us/en/developer/articles/tool/oneapi-standalone-components.html#python>

Intel recommends updating Intel® oneAPI Deep Neural Network (oneDNN) to version 2022.1 or later.

Toolkit updates are available for download at this location:
<https://www.intel.com/content/www/us/en/developer/tools/oneapi/base-toolkit-download.html>

Standalone updates are available for download at this location:

<https://www.intel.com/content/www/us/en/developer/articles/tool/oneapi-standalone-components.html#onednn>

Intel recommends updating Intel® oneAPI DPC++/C++ Compiler Runtime to version 2022.0 or later.

Toolkit updates are available for download at these locations:

<https://www.intel.com/content/www/us/en/developer/tools/oneapi/base-toolkit-download.html>

<https://www.intel.com/content/www/us/en/developer/tools/oneapi/hpc-toolkit-download.html>

<https://www.intel.com/content/www/us/en/developer/tools/oneapi/iot-toolkit-download.html>

Standalone updates are available for download at this location:

<https://www.intel.com/content/www/us/en/developer/articles/tool/oneapi-standalone-components.html#runtime>

Intel recommends updating Intel® MPI Library to version 2021.6 or later for Intel® oneAPI HPC toolkit.

Standalone updates are available for download at this location:

<https://www.intel.com/content/www/us/en/developer/articles/tool/oneapi-standalone-components.html#mpi>

Acknowledgements:

Intel would like to thank houjingyi for CVE-2022-26062.

The following issues were found internally by Intel employees: CVE-2022-26843, CVE-2022-25992, CVE-2022-26512, CVE-2022-26345, CVE-2022-26425, CVE-2022-26076, CVE-2022-26032, CVE-2022-26421, CVE-2022-26052.

Intel would like to thank Intel employee Nikolay Petrov for CVE-2022-25905.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.
